Thursday, January 10, 2013

This post to the Ruby on Rails Security group on January 8th contained a few phrases that cause alarm when used together: "inject arbitrary SQL", "inject and execute arbitrary code" and "perform a DoS attack on a Rails application". Without going into detail, the post described how user-provided YAML and Symbol data could be crafted to exploit Rails applications; the issue was given the identifier CVE-2013-0156.

Rails is used in many projects, including one of the most widespread pentesting frameworks available, Metasploit. Within hours of the post, Metasploit had published a security update for itself (2013010202) and was actively working on a module to exploit the bug.

The only information available before the PoC was released was that Rails could accept YAML or Symbol input through XML request parameters, and that this could potentially be abused. The mechanism is the XML parameter parser honouring a client-supplied type attribute: an element marked type="yaml" has its contents handed to a full YAML deserializer, and one marked type="symbol" is converted into a Symbol. The worry was that letting a request tag what should be plain string and hash values with arbitrary Ruby classes would allow attackers to find unsafe objects to instantiate with malicious input.

Blog posts explaining the vulnerability have already been published, such as this one by Ronin and this one by Adam O'Donnell from Sourcefire's FireAMP group. PoCs have also popped up, the most notable being this one on GitHub and of course the Metasploit module that was rushed through overnight.

We here at the VRT started paying attention to this as soon as the first post came out on Google Groups, and with the help of Christopher Mcbee we wrote SIDs 25287 and 25288 to detect attempts to exploit CVE-2013-0156, namely passing YAML or Symbol typed parameters to Rails via XML. They will be released in our next SEU, which is targeted for today.
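To make the two halves of this post concrete, the type="yaml"/type="symbol" parameter handling described above and the kind of request-body check the rules look for, here is an added example. It is not code from the original post, from Rails or from the VRT rules: it is a deliberately simplified re-creation of the vulnerable parsing pattern in plain Ruby (not ActiveSupport's real XML parser), a hardened version beside it, and an illustrative regex check standing in for the Snort rule content, which this post does not reproduce. The Gadget class, the helper names and the sample request bodies are all constructed for illustration.

```ruby
require 'rexml/document'   # bundled with Ruby; assumed available
require 'yaml'

# Constructed sample request bodies, not captured traffic.
BENIGN_XML = <<~XML
  <user><name>alice</name><age type="integer">30</age></user>
XML

# Harmless placeholder standing in for whatever class an attacker would
# really target; the YAML tag below instantiates it from request data.
class Gadget
  attr_accessor :command
end

MALICIOUS_XML = <<~XML
  <user><name type="yaml">--- !ruby/object:Gadget
  command: id
  </name></user>
XML

SYMBOL_XML = <<~XML
  <user><role type="symbol">admin</role></user>
XML

# In 2013, YAML.load instantiated any tagged class. Psych 4 (Ruby 3.1+)
# made YAML.load safe and moved the old behaviour to unsafe_load, so pick
# whichever call reproduces the 2013 semantics on this interpreter.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Vulnerable pattern: trust a client-supplied type attribute and hand the
# element text to a full YAML deserializer or to String#to_sym.
def xml_params_vulnerable(body)
  params = {}
  REXML::Document.new(body).root.elements.each do |el|
    params[el.name] =
      case el.attributes['type']
      when 'yaml'    then unsafe_yaml_load(el.text)  # arbitrary object creation
      when 'symbol'  then el.text.to_sym              # attacker-minted symbols
      when 'integer' then Integer(el.text)
      else el.text
      end
  end
  params
end

# Hardened pattern: allow only primitive conversions and reject anything
# that would deserialize objects or intern client strings as symbols.
class UnsafeParamType < StandardError; end

def xml_params_hardened(body)
  params = {}
  REXML::Document.new(body).root.elements.each do |el|
    params[el.name] =
      case el.attributes['type']
      when nil       then el.text
      when 'integer' then Integer(el.text)
      else raise UnsafeParamType, "type=#{el.attributes['type']} not allowed"
      end
  end
  params
end

# Illustrative request-body check: flag XML elements declaring a yaml or
# symbol type. This approximates the idea behind the rules, not their text.
YAML_OR_SYMBOL_TYPE = /<[^>]*\btype\s*=\s*["'](?:yaml|symbol)["']/i

def suspicious_xml_params?(body)
  !!(body =~ YAML_OR_SYMBOL_TYPE)
end

if __FILE__ == $0
  p xml_params_vulnerable(BENIGN_XML)
  p xml_params_vulnerable(MALICIOUS_XML)   # a Gadget built from the request
  p xml_params_vulnerable(SYMBOL_XML)
  begin
    xml_params_hardened(MALICIOUS_XML)
  rescue UnsafeParamType => e
    puts "rejected: #{e.message}"
  end
  puts suspicious_xml_params?(MALICIOUS_XML)
end
```

The hardened parser follows the direction of the Rails fix itself, which removed the yaml and symbol conversions from the XML parameter parser rather than trying to filter YAML content. The regex check is coarse on purpose: a production rule has to cope with case, whitespace and encoding variations in the type attribute, which is exactly the sort of evasion a signature author has to think through.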